Job Title: Director of Information Security and Compliance
Department: Information Technology
Reports To: Chief Enterprise Architect, or CIO
Prepared By: Jonathan Silber
Prepared Date: 14 February 2019
SUMMARY
This individual will have ownership of strategic roadmaps and governance of program initiatives. Additional responsibilities will include regular review of Wheels processes, client and vendor agreements, and evolving data protection and privacy legislation to identify gaps or opportunities and to champion initiatives.
ESSENTIAL DUTIES AND RESPONSIBILITIES include the following. Other duties may be assigned.
- Roadmap and Strategy
  - Develop and maintain a 3-year roadmap of projects and initiatives to enhance and update the Wheels Information Security and Privacy program, aligned with Wheels business strategy, client demand and evolving legislation
  - Define a program of recurring assessments of policies, software solutions, IT processes, and service delivery operations to assess compliance, gaps and opportunities
  - Identify, scope and prioritize a mixed portfolio of projects across all of the above domains; champion the prioritization and funding of these projects
  - Maintain awareness of evolving regulation and classification of information, especially PII, PCI and personal privacy as it relates to Wheels business
- Compliance Assessments, Audits and Certification
  - SSAE-16 SOC2
    - Govern completion of the SOC2 readiness activity currently in flight, and monitor ongoing compliance with enhanced processes as they are implemented
    - Coordinate annual SOC2 assessment activity
  - PCI Certification
    - Complete a PCI compliance gap assessment and define the initiatives required to achieve compliance
    - Coordinate the annual PCI Self-Assessment
  - Ensure Wheels is in compliance with statutory requirements (in the US and Canada) regarding personal information and procedures for disclosure of such information.
  - In coordination with the Wheels Executive Risk Committee (WERC), identify other required or beneficial certifications or attestations, then define and oversee the initiatives required to achieve those certifications
- Information Classification
  - In alignment with the Wheels Information Security Group (ISG), periodically review and update the Wheels Information Classification Policy and Information Handling Procedures to keep them consistent with applicable data protection and privacy legislation
  - Maintain a matrix of Information Subject Areas and Information Owners
  - Conduct periodic reviews of Information Classification and of compliance with Information Handling practices by each Information Owner, reporting compliance, gaps and opportunities to ISG and WERC
- Vendor Management
  - Develop relationships with third-party vendors that provide services related to IT Audit and Compliance; Assessments or Certification; monitoring of Privacy law; etc.
  - Act as primary owner of the relationship with vendors providing these services to Wheels
  - Maintain regular contact with the vendor account team
  - Regularly review performance and/or manage performance scorecards
  - Participate in regular reviews of vendor offerings and/or product roadmaps
  - Identify new service opportunities, build the business case, and manage the RFP and/or vendor selection for new vendor relationships
- Project Management
  - Develop business cases and proposals for new Information Security, Privacy and Compliance projects and initiatives
  - Lead matrixed teams of internal and/or outsourced resources in delivering InfoSec projects, including:
    - implementation of new technology, processes or procedures
    - security remediation or enhancement in the Wheels custom application portfolio
    - recurring third-party assessments
  - Coordinate with Client Service, Business Operations, IT Operations, Applications Development and QA teams as required to deliver projects
  - Regularly report on progress, issues, budget and achieved project goals
- Client & Supplier Contracting; Supplier Assessment
  - Collaborate with Procurement and Client contract teams to review new contracts, especially regarding Information Security and Data Privacy terms
  - Develop and revise standard contract clauses for supplier contracts
  - Maintain the supplier security, privacy and compliance assessment program, including:
    - Maintain and update questionnaire(s) and the process for assessments
    - Prioritize, recommend and track suppliers due for assessment
    - Track gaps and remediation activities required of suppliers, and report on these to WERC.
This position may or may not manage direct reports or may play a leadership role across matrixed teams assembled for specific projects and initiatives.
QUALIFICATIONS
To perform this job successfully, an individual must be able to perform each essential duty satisfactorily. The requirements listed below are representative of the knowledge, skill, and/or ability required. Reasonable accommodations may be made to enable individuals with disabilities to perform the essential functions.
- Strong working knowledge of Information Security best practices, including familiarity with the ISO 27000 series, SANS, NIST and/or COBIT
- Strong working knowledge of IT Audit, Privacy and/or Compliance certification frameworks, including experience with SSAE-16 SOC2, PCI, FISMA, GLBA, SOX or similar.
- Experience applying recent and relevant data protection and privacy legislation, e.g., FCRA, DPPA, MA 201 CMR 17.00, CA 1798.29 and 1798.81-84, CA Consumer Privacy Act, CAN-SPAM, PIPEDA, GDPR, etc.
- Working knowledge of all aspects of infrastructure technology, including networking, servers, storage, logging and security appliances, especially as they relate to Information Security and Compliance
- Working knowledge of custom application development, especially involving sharing data across public Internet channels.
- Demonstrated track record of building a privacy and security compliance program through one-time initiatives and recurring and repeatable processes
- Experience defining business case, budgets and ROI for projects, technology purchases and/or process improvement initiatives
- Absolutely trustworthy with high standards of personal integrity.
- Proven ability to communicate security and compliance related concepts to a broad range of technical and non-technical staff, including executive management and Board of Directors, and to client and vendor business partners.
EDUCATION and/or EXPERIENCE
- Bachelor's degree in Computer Science, Information Security or related field of study; or commensurate working experience; MBA or master's degree in a related field preferred
- 10+ years of work experience in Information Technology, Compliance and/or IT Security-related role, with 5+ years in a leadership role
- 5+ years of experience directly managing teams of 5 or more people
- Legal education, or comparable work experience interpreting and applying data protection and privacy legislation as relevant to enterprise policy, processes and contract terms
- Prior experience developing and growing an information security and compliance program, especially preparing for SAS70, SSAE-16 SOC2, PCI and/or ISO 27001/2 certification
CERTIFICATES, LICENSES, REGISTRATIONS
- CISM, CISSP, CISSA, CISA or similar certification required; if certification is not currently held, commitment to achieve certification within 1 year of hire will be considered
WORK ENVIRONMENT and PHYSICAL DEMANDS
- General office environment
- 5-10% travel may be required